Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

Published: 23/11/2024   Category: security




Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.



A deft chaining together of three separate zero-day flaws in Ivanti's Cloud Service Appliance allowed a particularly potent cyberattacker to infiltrate a target network and execute malicious actions, leading researchers to conclude a nation-state actor was actively targeting these vulnerable systems.
Fortinet's FortiGuard Labs published its findings, warning that any organization running Ivanti's CSA version 4.6 and prior without taking the necessary remediation precautions is vulnerable to this method of attack.
The details of the newly uncovered attack chain come amid the announcement of a bevy of additional security flaws in Ivanti's CSA that are also under active exploit.
"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," Fortinet's report said. "This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim's network."
The three specific Ivanti CSA flaws used in the attack were a command injection flaw in the DateTimeTab.php resource, tracked as CVE-2024-8190; a critical path traversal vulnerability in the /client/index.php resource, tracked as CVE-2024-8963; and an unauthenticated command injection vulnerability affecting reports.php, tracked as CVE-2024-9380.
Once initial access was established using the path traversal bug, the threat group was able to exploit the command injection flaw in the reports.php resource to drop a Web shell. The group then exploited a separate SQL injection flaw on Ivanti's backend SQL database server (SQLS), tracked as CVE-2024-29824, to gain remote execution on the SQLS system, the researchers noted.
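As an added illustration of what the chain described above looks like from the defender's side (this is not code from the article, from Fortinet or from Ivanti), the following Python script triages web-server access logs for the two request patterns the article names: directory-traversal sequences aimed at /client/index.php, and requests that resolve to /gsb/reports.php or /gsb/DateTimeTab.php from sources outside an administrator allowlist. The log lines are constructed, and the resource paths, the log format and the allowlist are assumptions about the appliance's layout rather than facts from the report.

```python
"""Access-log triage for the Ivanti CSA request patterns described above.
Constructed example for this article; not Fortinet's or Ivanti's code.
Resource paths, log format and the administrator allowlist are assumptions."""
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

TRAVERSAL_RESOURCE = "/client/index.php"            # path traversal (CVE-2024-8963)
CMD_INJECTION_RESOURCES = ("/gsb/reports.php",      # command injection (CVE-2024-9380)
                           "/gsb/DateTimeTab.php")  # command injection (CVE-2024-8190)

# Apache/nginx combined format: ip ident user [ts] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Percent-decode twice so double-encoded traversal (%252e%252e%252f) is visible."""
    return unquote(unquote(target))


def triage(lines, admin_sources=frozenset()):
    """Map each suspicious source IP to a list of findings.

    traversal  : request to /client/index.php whose decoded target carries ../
    cmd_inject : request resolving to a command-injection resource from a source
                 that is not on the administrator allowlist
    chained    : both of the above from one source, the ordering Fortinet describes
    """
    findings = defaultdict(list)
    kinds = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        decoded = decode_target(rec["target"])
        raw_path = decoded.split("?", 1)[0]
        norm_path = posixpath.normpath(raw_path)   # /client/index.php/../../x -> /x
        if raw_path.startswith(TRAVERSAL_RESOURCE) and TRAVERSAL_RE.search(decoded):
            findings[ip].append(f"traversal {rec['method']} {rec['target']}")
            kinds[ip].add("traversal")
        if norm_path in CMD_INJECTION_RESOURCES and ip not in admin_sources:
            findings[ip].append(f"cmd_inject {rec['method']} {norm_path} status={rec['status']}")
            kinds[ip].add("cmd_inject")
    for ip, seen in kinds.items():
        if {"traversal", "cmd_inject"} <= seen:
            findings[ip].append("chained traversal+cmd_inject from one source")
    return dict(findings)


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2024:08:01:12 +0000] "GET /client/index.php/../../gsb/reports.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2024:08:01:15 +0000] "POST /gsb/reports.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [10/Sep/2024:08:02:01 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 64',
    '192.0.2.10 - - [10/Sep/2024:08:05:00 +0000] "GET /gsb/DateTimeTab.php HTTP/1.1" 200 2048',
    '198.51.100.3 - - [10/Sep/2024:08:06:30 +0000] "GET /client/index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, items in triage(SAMPLE_LOG, admin_sources={"192.0.2.10"}).items():
        print(ip)
        for item in items:
            print("  ", item)
```

The normalisation step matters: a traversal request is logged under /client/index.php, so matching on the literal path of the command-injection resources alone would miss the first hop. The "chained" finding, a traversal and a command-injection request from the same source, is the one worth paging on; an allowlisted administrator touching DateTimeTab.php is routine.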
After Ivanti released a patch for the command injection flaw, the attack group acted to ensure other adversaries could not follow them onto the compromised systems. "On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, patched the command injection vulnerabilities in the resources /gsb/DateTimeTab.php and /gsb/reports.php, making them unexploitable," the FortiGuard Labs team added in the report. "In the past, threat actors have been observed to patch vulnerabilities after having exploited them and gained a foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s) and potentially interfering with their attack operations."
In this instance, analysts suspected the group was trying to use sophisticated techniques to maintain access, including launching a DNS tunneling attack via PowerShell and dropping a Linux kernel object rootkit on the compromised CSA system.
"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.
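An added example, not part of the article or of Fortinet's report, of one way to surface the DNS tunneling behaviour mentioned above in resolver query logs. Tunneling carries data in query names, so the tell-tale profile is many long, high-entropy, rarely repeated subdomain labels sent by one client to one registrable domain, often as TXT or NULL queries. The thresholds, the two-label registrable-domain rule and the sample queries are all assumptions; the script is a generic heuristic, not a signature for the tooling Fortinet observed.

```python
"""Heuristic detector for DNS tunnelling in resolver query logs.
Constructed example for this article; not Fortinet's or Ivanti's code, and not a
signature for the specific tooling Fortinet observed. Thresholds, the two-label
registrable-domain rule and the sample queries are assumptions."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string; random-looking labels score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname, registrable_labels=2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').
    Assumes two-label registrable domains; real data needs a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= registrable_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-registrable_labels]), ".".join(labels[-registrable_labels:])


def score_tunnels(records, min_queries=20, min_mean_len=30,
                  min_entropy=3.0, min_unique_ratio=0.9):
    """records: iterable of (client_ip, qname, qtype).
    Groups queries by (client, registrable domain) and returns the groups whose
    subdomain labels are numerous, long, high-entropy and rarely repeated:
    the profile of data carried in query names rather than of name lookup."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        sub, dom = split_name(qname)
        groups[(client, dom)].append((sub, qtype))
    flagged = {}
    for key, items in groups.items():
        subs = [s for s, _ in items if s]
        if len(subs) < min_queries:
            continue
        stats = {
            "queries": len(subs),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "txt_null_ratio": sum(1 for _, t in items if t in ("TXT", "NULL")) / len(items),
        }
        if (stats["mean_len"] >= min_mean_len and stats["mean_entropy"] >= min_entropy
                and stats["unique_ratio"] >= min_unique_ratio):
            flagged[key] = stats
    return flagged


def _fake_chunk(i):
    # Deterministic stand-in for an encoded data chunk (constructed, not captured).
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]


# Constructed sample: one host issuing 40 unique long-label TXT queries to one
# domain, another host doing ordinary lookups, and a third with too few queries
# to judge. example.net / example.org are reserved documentation domains.
SAMPLE_QUERIES = (
    [("10.0.0.5", f"{_fake_chunk(i)}.example.net", "TXT") for i in range(40)]
    + [("10.0.0.9", name, "A") for name in ("www.example.org", "mail.example.org") * 15]
    + [("10.0.0.12", f"{_fake_chunk(i)}.example.net", "TXT") for i in range(5)]
)

if __name__ == "__main__":
    for (client, domain), stats in score_tunnels(SAMPLE_QUERIES).items():
        print(client, domain, stats)
```

Because the article describes the tunnel being driven from PowerShell, the client to baseline is the host that launched it; the CSA appliance itself should have a small, stable set of resolved domains, so any new registrable domain receiving this kind of traffic from it is worth a look even below the thresholds. Tune the numbers against a week of your own resolver logs before alerting on them.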
